Debian alert: New PHP packages fix several vulnerabilities

Posted by dave on Sep 18, 2002 5:40 AM EDT
Mailing list
Mail this story
Print this story

Wojciech Purczynski found out that it is possible for scripts to pass arbitrary text to sendmail as commandline extension when sending a mail through PHP even when safe_mode is turned on. Passing 5th argument should be disabled if PHP is configured in safe_mode, which is the case for newer PHP versions and for the versions below. This does not affect PHP3, though.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 168-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
September 18th, 2002                    http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : PHP3, PHP4
Vulnerability  : bypassing safe_mode, CRLF injection
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2002-0985 CAN-2002-0986
BugTraq ID     : 5681

Wojciech Purczynski found out that it is possible for scripts to pass
arbitrary text to sendmail as commandline extension when sending a
mail through PHP even when safe_mode is turned on.  Passing 5th
argument should be disabled if PHP is configured in safe_mode, which
is the case for newer PHP versions and for the versions below.  This
does not affect PHP3, though.

Wojciech Purczynski also found out that arbitrary ASCII control
characters may be injected into string arguments of mail() function.
If mail() arguments are taken from user's input it may give the user
ability to alter message content including mail headers.

Ulf Harnhammar discovered that file() and fopen() are vulnerable to
CRLF injection.  An attacker could use it to escape certain
restrictions and add arbitrary text to alleged HTTP requests that are
passed through.

However this only happens if something is passed to these functions
which is neither a valid file name nor a valid url.  Any string that
contains control chars cannot be a valid url.  Before you pass a
string that should be an url to any function you must use urlencode()
to encode it.

Three problems have been identified in PHP:

1. The mail() function can allow arbitrary email headers to be
   specified if a recipient address or subject contains CR/LF
   characters.

2. The mail() function does not properly disable the passing of
   arbitrary command-line options to sendmail when running in Safe
   Mode.

3. The fopen() function, when retrieving a URL, can allow manipulation
   of the request for the resource through a URL containing CR/LF
   characters.  For example, headers could be added to an HTTP
   request.

These problems have been fixed in version 3.0.18-23.1woody1 for PHP3
and 4.1.2-5 for PHP4 for the current stable distribution (woody), in
version 3.0.18-0potato1.2 for PHP3 and 4.0.3pl1-0potato4 for PHP4 in
the old stable distribution (potato) and in version 3.0.18-23.2 for
PHP3 and 4.2.3-3 for PHP4 for the unstable distribution (sid).

We recommend that you upgrade your PHP packages.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- ---------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-0potato1.2.dsc
      Size/MD5 checksum:     1079 82d2b9adff31130eafe78fe9c647d098
    http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-0potato1.2.diff.gz
      Size/MD5 checksum:    39264 e44f4917ce887f53ac7019ab4e3692ba
    http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18.orig.tar.gz
      Size/MD5 checksum:  2203818 da541ac71d951c47a011ceb26664ba2d
    http://security.debian.org/pool/updates/main/p/php4/php4_4.0.3pl1-0potato4.dsc
      Size/MD5 checksum:     1125 e9b5dbf3554c63dd654e69c83da63a97
    http://security.debian.org/pool/updates/main/p/php4/php4_4.0.3pl1-0potato4.diff.gz
      Size/MD5 checksum:   134587 9a862082a0b60f6e2f0fa9c993d3ff19
    http://security.debian.org/pool/updates/main/p/php4/php4_4.0.3pl1.orig.tar.gz
      Size/MD5 checksum:  2214630 e65b706a7fc4469d1ccd564ef8a2c534

  Alpha architecture:

    http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-0potato1.2_alpha.deb
      Size/MD5 checksum:   438822 748bb657dff328c22920c186e2ab83a1
    http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-0potato1.2_alpha.deb
      Size/MD5 checksum:   619332 e9dca7c64949f2d635ff5ed7da682c5d
    http://security.debian.org/pool/updates/main/p/php4/php4_4.0.3pl1-0potato4_alpha.deb
      Size/MD5 checksum:   520090 76a0ac1f943c108f28a4238723415367
    http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.0.3pl1-0potato4_alpha.deb
      Size/MD5 checksum:   868874 b8041d6976c11fbb63d0481869351658

  ARM architecture:

    http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-0potato1.2_arm.deb
      Size/MD5 checksum:   379276 3900254a218ea8b08f12adcee5826978
    http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-0potato1.2_arm.deb
      Size/MD5 checksum:   490638 de60ee781cd3e2dc820fef82a1fe08a8

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-0potato1.2_i386.deb
      Size/MD5 checksum:   359858 6ee0615cac086a0da432ed40e0edab68
    http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-0potato1.2_i386.deb
      Size/MD5 checksum:   458174 be4d1d9c54ba0207f39dedfaaaa7d748
    http://security.debian.org/pool/updates/main/p/php4/php4_4.0.3pl1-0potato4_i386.deb
      Size/MD5 checksum:   412254 37751e39ac9688d17965cf947ed7f6fc
    http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.0.3pl1-0potato4_i386.deb
      Size/MD5 checksum:   635076 b1dfc5587ea2719ff5a789fc02bc27ec

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-0potato1.2_m68k.deb
      Size/MD5 checksum:   355170 9b7fef1df1cc28988eb3f7fdde94dd61
    http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-0potato1.2_m68k.deb
      Size/MD5 checksum:   429244 1aec470dce3cc9babe341661c7023281
    http://security.debian.org/pool/updates/main/p/php4/php4_4.0.3pl1-0potato4_m68k.deb
      Size/MD5 checksum:   408462 29b1bc7739a65d4ebd95d848bccbaf5c
    http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.0.3pl1-0potato4_m68k.deb
      Size/MD5 checksum:   592990 2d3fbdc339ba1692d1c7e98fc50b9920

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-0potato1.2_powerpc.deb
      Size/MD5 checksum:   380012 c2990c5ec38b1fc4d218a51c750f9963
    http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-0potato1.2_powerpc.deb
      Size/MD5 checksum:   492568 eebeab3f920fad4812f418045750a489
    http://security.debian.org/pool/updates/main/p/php4/php4_4.0.3pl1-0potato4_powerpc.deb
      Size/MD5 checksum:   451892 54e8183df00abee5c8498b4caed0a679
    http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.0.3pl1-0potato4_powerpc.deb
      Size/MD5 checksum:   689728 bd2aeebd0605f35395106a4ce0c76cef

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-0potato1.2_sparc.deb
      Size/MD5 checksum:   371252 f3a0fb13377a8b5b67a851d2c204b87d
    http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-0potato1.2_sparc.deb
      Size/MD5 checksum:   483476 e749a895f8e9d429d7e3d6eb0f35a945
    http://security.debian.org/pool/updates/main/p/php4/php4_4.0.3pl1-0potato4_sparc.deb
      Size/MD5 checksum:   435060 be65d0d8c66e0bdcf5aa3a337a019ea6
    http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.0.3pl1-0potato4_sparc.deb
      Size/MD5 checksum:   665368 2670abfe8104e7b93ce3eb82f82783ef


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody1.dsc
      Size/MD5 checksum:     1113 defbd05ac28342105ddf3c40287c5d83
    http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody1.diff.gz
      Size/MD5 checksum:    56097 8b4c799d1802043c427c4072a8426370
    http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18.orig.tar.gz
      Size/MD5 checksum:  2203818 da541ac71d951c47a011ceb26664ba2d
    http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-5.dsc
      Size/MD5 checksum:     1555 d499095a9ce5eaaa742c5e255935b162
    http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-5.diff.gz
      Size/MD5 checksum:    87169 28eefab5c9a744844c99c5634512d21d
    http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2.orig.tar.gz
      Size/MD5 checksum:  3346579 37e67552bec20e6f02d52e14a11aa269

  Alpha architecture:

    http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody1_alpha.deb
      Size/MD5 checksum:   401238 8586e692ca92764162cf70df945be846
    http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody1_alpha.deb
      Size/MD5 checksum:   617530 cbf6b0a9ef2f301dc59a0769e801be13
    http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-5_alpha.deb
      Size/MD5 checksum:   712770 91e0fce43423f80bd88e6578e161ea6a
    http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-5_alpha.deb
      Size/MD5 checksum:   694394 97ae10670e4f0fe04ccfb61effaadba1
    http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-5_alpha.deb
      Size/MD5 checksum:  1292980 3ab48b33724395b5dc647928e1cbe307

  ARM architecture:

    http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody1_arm.deb
      Size/MD5 checksum:   371882 057479ece77bd2fa7852397d0a6e9747
    http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody1_arm.deb
      Size/MD5 checksum:   494742 93b09582be5f56755c0e214e0a68d534
    http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-5_arm.deb
      Size/MD5 checksum:   652346 fc06fdf3679e7282fb0f0a9319589604
    http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-5_arm.deb
      Size/MD5 checksum:   625852 7171107322617498e3e153aae73ba21f
    http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-5_arm.deb
      Size/MD5 checksum:  1076126 96ce32ae8083cce65c508f320a238c29

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody1_i386.deb
      Size/MD5 checksum:   361032 ac76b9d6c6fd1077a3a45f948f099e96
    http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody1_i386.deb
      Size/MD5 checksum:   461052 cb86db223af4f7a46801b44fd83a1a3d
    http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-5_i386.deb
      Size/MD5 checksum:   597540 eacc0fd36d2d564cdb086542e05edb25
    http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-5_i386.deb
      Size/MD5 checksum:   582018 b012d4f2cf0778f5156e27062cc01436
    http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-5_i386.deb
      Size/MD5 checksum:   990122 89904ac6614f385d319cecc599501e3e

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody1_ia64.deb
      Size/MD5 checksum:   484866 ebc82ed226f7529b076224645af18485
    http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody1_ia64.deb
      Size/MD5 checksum:   753408 53354e05af67a4297c056545855e20fc
    http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-5_ia64.deb
      Size/MD5 checksum:   919602 f3c837dc49eaf6c2e39dd2292d851142
    http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-5_ia64.deb
      Size/MD5 checksum:   888678 1a01c7e9bbb8341e7c3b3741bd86d3aa
    http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-5_ia64.deb
      Size/MD5 checksum:  1600476 8f19c0af9708e53c6532645e4c886ef1

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody1_hppa.deb
      Size/MD5 checksum:   404392 9835e7434e1948ef9c2250f079993715
    http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody1_hppa.deb
      Size/MD5 checksum:   567200 5db5b1b5b3f7aa14f4a8d12863c156f1
    http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-5_hppa.deb
      Size/MD5 checksum:   756828 2f6dad96f5f72a162552fbbc910f0a9b
    http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-5_hppa.deb
      Size/MD5 checksum:   733924 e1b0b805d489f0315aeda262bcff2e9e
    http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-5_hppa.deb
      Size/MD5 checksum:  1211938 cc1f5afd4421b45f89fe9e845645ad69

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody1_m68k.deb
      Size/MD5 checksum:   357180 d7907f7aa2b5004e99b30ad8f61d304a
    http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody1_m68k.deb
      Size/MD5 checksum:   432586 e97d5d0aaa7add1be1131db274e80520
    http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-5_m68k.deb
      Size/MD5 checksum:   580528 f285c81661ec9c306f28cec5a2018f22
    http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-5_m68k.deb
      Size/MD5 checksum:   572374 0bed8e2be0fabc5d25c3868c9b374a2f
    http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-5_m68k.deb
      Size/MD5 checksum:   932280 2b2edee95d27b9e72f6c4087b0e92b9f

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody1_mips.deb
      Size/MD5 checksum:   363314 db293eaf7b775ed38ebf3642a1fad145
    http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody1_mips.deb
      Size/MD5 checksum:   509394 13cb1c6fb08b570eeb2ca9fb5b81c20e
    http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-5_mips.deb
      Size/MD5 checksum:   614724 432bfb1730842f7a858e9336af0436b6
    http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-5_mips.deb
      Size/MD5 checksum:   606654 b19a832117357ca211e9cfbeabc8153c
    http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-5_mips.deb
      Size/MD5 checksum:  1095146 c28c09e8f6f7c06d456071d055430eac

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody1_mipsel.deb
      Size/MD5 checksum:   362218 dc30c2f819623b5340a00e920f10f790
    http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody1_mipsel.deb
      Size/MD5 checksum:   507712 a5f46c32f5da4bd0d6578cb387948094
    http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-5_mipsel.deb
      Size/MD5 checksum:   609260 5eec777e950f7dc7bfe0042367e4109f
    http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-5_mipsel.deb
      Size/MD5 checksum:   602190 be8c7a63af072069984092434778b63a
    http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-5_mipsel.deb
      Size/MD5 checksum:  1089242 7b160f6ea1df6567c66914e466c0c3a2

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody1_powerpc.deb
      Size/MD5 checksum:   376530 6192fa01d1af74c451b9aaf3470ff857
    http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody1_powerpc.deb
      Size/MD5 checksum:   496076 1391775799a9cc8f09ea255f75310d0e
    http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-5_powerpc.deb
      Size/MD5 checksum:   652486 6e5dc8f02eee61bee99427a4f1bd014e
    http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-5_powerpc.deb
      Size/MD5 checksum:   637170 47de6b9690e3f19736e61643b32d1208
    http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-5_powerpc.deb
      Size/MD5 checksum:  1070680 7621d9244328daad7bd9f7d6a9060076

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody1_s390.deb
      Size/MD5 checksum:   371208 a86144204858b5af173a234428e28b44
    http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody1_s390.deb
      Size/MD5 checksum:   466596 1754b68279b062b4672c1f1ea967dec9
    http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-5_s390.deb
      Size/MD5 checksum:   630600 3314fd48a26554070d683531509fa805
    http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-5_s390.deb
      Size/MD5 checksum:   622616 763bdd50ed1f48194fca4e40d69c0cb9
    http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-5_s390.deb
      Size/MD5 checksum:  1000670 ae235537507a7cae42055c66e0dbab72

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody1_sparc.deb
      Size/MD5 checksum:   374664 30080342e0bac88b49f08d41a4454d29
    http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody1_sparc.deb
      Size/MD5 checksum:   489124 f50f94c018b0f3b59684edf7fdb1becc
    http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-5_sparc.deb
      Size/MD5 checksum:   629056 1504b0dfe0bbfe5d2da939d4c7cdcd18
    http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-5_sparc.deb
      Size/MD5 checksum:   614222 0c5cc999484624f6be5caadfee833490
    http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-5_sparc.deb
      Size/MD5 checksum:  1032494 b7fae376a617c97dc95724f16ce4b82c

  Please note that the source packages mentioned above produce more
  binary packages than the ones listed above.  They are not relevant
  for the fixed problems, though.

  These files will probably be moved into the stable distribution on
  its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9iIJjW5ql+IAeqTIRApM6AJ9MStVWq2jhj+RFXzTQWPtmgnE9/gCfR3c5
QOYehFCjKoVemooRjwsoJl4=
=XOe4
-----END PGP SIGNATURE-----


  Nav
» Read more about: Story Type: Security; Groups: Debian

« Return to the newswire homepage

This topic does not have any threads posted yet!

You cannot post until you login.